Version 2019.13
New Features
- Generic anomaly sidebar for threats
- Host Listing and Sidebar Improvements
GENERIC ANOMALY SIDEBAR FOR THREATS
Lastline now provides a separate detailed evidence sidebar for anomalies. Anomaly Detection on network data is based on machine learning algorithms that identify anomalies in network protocol data or anomalous activity/behavior of hosts within the network. Detailed evidence for such anomalies includes an explanation of the anomaly, netflow data (where applicable), or protocol-specific data that identifies why the anomaly triggered.
This new feature was tracked internally as FEAT-4589
HOST LISTING AND SIDEBAR IMPROVEMENTS
Lastline has provided additional enhancements for security analysts interacting with the Host Listing. Information on OS and device type is now provided in the host sidebar, which gives detailed information on each host selected from the list. Additional improvements include search for IP ranges and support for CIDR blocks.
This new feature was tracked internally as FEAT-4894
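The IP range and CIDR search mentioned above is worth seeing in code, because a dash range such as 10.0.0.5-10.0.0.20 is not a single CIDR block and has to be decomposed before it can share a containment test with plain prefixes. The example below is added here and is not Lastline's code: the host records, field names and query forms are constructed for illustration, and the filter uses only Python's standard ipaddress module.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample host listing (hypothetical data, not from the release notes).
HOSTS = [
    {"ip": "10.0.0.4", "os": "Windows 10", "device_type": "workstation"},
    {"ip": "10.0.0.17", "os": "Ubuntu 18.04", "device_type": "server"},
    {"ip": "10.0.1.2", "os": "iOS", "device_type": "mobile"},
    {"ip": "192.168.5.9", "os": "Unknown", "device_type": "printer"},
    {"ip": "2001:db8::10", "os": "Linux", "device_type": "server"},
]


def parse_ip_query(query: str) -> List[Network]:
    """Turn a search term into the list of networks it covers.

    Accepted forms: a single address ("10.0.0.4"), a CIDR block
    ("10.0.0.0/24") or an inclusive dash range ("10.0.0.5-10.0.0.20").
    A dash range is decomposed into the minimal set of CIDR blocks so
    that matching can use the same containment test in every case.
    Malformed input raises ValueError rather than silently matching nothing.
    """
    q = query.strip()
    if "-" in q:
        lo_s, hi_s = (part.strip() for part in q.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version:
            raise ValueError("range endpoints must be the same IP version")
        if lo > hi:
            raise ValueError("range start is after range end")
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=False accepts a host address with bits set below the mask
    # (e.g. "10.0.0.17/24") and normalises it to the containing block;
    # a bare address becomes a /32 (or /128) network.
    return [ipaddress.ip_network(q, strict=False)]


def filter_hosts(hosts: Iterable[dict], query: str) -> List[dict]:
    """Return the hosts whose IP falls inside any network the query covers."""
    nets = parse_ip_query(query)
    matches = []
    for host in hosts:
        addr = ipaddress.ip_address(host["ip"])
        # Compare only within the same IP version; v4 and v6 never overlap.
        if any(addr.version == n.version and addr in n for n in nets):
            matches.append(host)
    return matches


def matching_ips(hosts: Iterable[dict], query: str) -> List[str]:
    """Convenience wrapper returning just the matching addresses."""
    return [h["ip"] for h in filter_hosts(hosts, query)]


if __name__ == "__main__":
    for q in ("10.0.0.4", "10.0.0.0/24", "10.0.0.5-10.0.1.3", "2001:db8::/32"):
        print(f"{q:>20} -> {matching_ips(HOSTS, q)}")
```

Decomposing the range with summarize_address_range is what lets one containment test serve all three query forms; it also makes a malformed range (reversed endpoints, mixed versions) fail loudly instead of returning an empty result that an analyst could misread as "no such hosts".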
Detection Improvements
- TRES-948: Improved detection of malware abusing remote XLS files using WMI queries.
- TRES-1038: Improved detection of a macro-based XLS Ursnif downloader that uses multiple macro modules for evasion.
- TRES-1002: Improved certificate extraction from PE samples.
- TRES-919: Reduced false positives on benign LNK files that point to a locally installed program.
- TRES-1092: Improved detection of a macro-based XLS Ursnif downloader that uses a filename check for evasion.
- TRES-1041: Improved scanners to include MITRE ATT&CK information.
- TRES-1032: Improved detection of malicious binary files packed with a custom packer.
Bug Fixes and Improvements
- FEAT-5038: Extend the Analyst API submission helper tools to support providing password candidates.
- SENT-2607: Fix for a Suricata bug where extraction of emails from SMTP exchanges would always extract only the first message transferred within each flow.
- FEAT-4636: Revised logic for the extraction of network traces upon IDS alerts. The new logic carries a number of improvements:
  - Ability to handle cases where multiple alerts trigger on different segments of the same flow.
  - Ability to extract pcap traces for alerts that have triggered "deep" in the flow.
- PLTF-1173: The status of sending messages to McAfee TIE via the OpenDXL integration is now visible in the appliance monitoring logs.
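The two FEAT-4636 bullets describe a failure mode that is easy to model: if trace extraction only keeps the head of an alerting flow, an alert that fires deep in the flow gets no packet context, and two alerts on different segments of one flow cannot both be covered. The example below is an added illustration of that problem and of a window-merging approach to it; it is a toy model written for this page, not Lastline's extraction logic, and the Packet and Alert records, the sample flow and the window sizes are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    flow_id: str
    seq: int          # position of the packet within its flow, starting at 0
    payload: bytes


@dataclass(frozen=True)
class Alert:
    flow_id: str
    seq: int          # packet index at which the IDS signature fired
    signature: str    # placeholder signature name, not a real rule id


# Constructed sample: one 40-packet flow with an early alert and a deep alert.
SAMPLE_FLOW = [Packet("flow-1", i, f"pkt{i}".encode()) for i in range(40)]
SAMPLE_ALERTS = [Alert("flow-1", 3, "sig-A"), Alert("flow-1", 31, "sig-B")]


def extract_head_only(packets: Iterable[Packet], alerts: Iterable[Alert],
                      head: int = 16) -> List[Packet]:
    """Naive logic: keep the first `head` packets of every alerting flow.

    An alert that fires at seq >= head is reported with no packet context,
    and a second alert on the same flow adds nothing to the trace.
    """
    alerting_flows = {a.flow_id for a in alerts}
    return [p for p in packets if p.flow_id in alerting_flows and p.seq < head]


def alert_windows(alerts: Iterable[Alert], before: int = 4,
                  after: int = 4) -> Dict[str, List[Tuple[int, int]]]:
    """Per-flow inclusive [start, end] packet windows around each alert.

    Windows on the same flow that overlap or touch are merged, so several
    alerts on one flow yield one trace per contiguous region of interest.
    """
    by_flow: Dict[str, List[Tuple[int, int]]] = {}
    for a in alerts:
        by_flow.setdefault(a.flow_id, []).append((max(0, a.seq - before), a.seq + after))
    merged: Dict[str, List[Tuple[int, int]]] = {}
    for flow_id, wins in by_flow.items():
        wins.sort()
        out = [wins[0]]
        for start, end in wins[1:]:
            if start <= out[-1][1] + 1:          # overlapping or adjacent
                out[-1] = (out[-1][0], max(out[-1][1], end))
            else:
                out.append((start, end))
        merged[flow_id] = out
    return merged


def extract_alert_windows(packets: Iterable[Packet], alerts: Iterable[Alert],
                          before: int = 4, after: int = 4) -> List[Packet]:
    """Window-based logic: keep packets around every alert, however deep."""
    windows = alert_windows(alerts, before, after)
    kept = []
    for p in packets:
        if any(s <= p.seq <= e for s, e in windows.get(p.flow_id, [])):
            kept.append(p)
    return kept


if __name__ == "__main__":
    old = extract_head_only(SAMPLE_FLOW, SAMPLE_ALERTS)
    new = extract_alert_windows(SAMPLE_FLOW, SAMPLE_ALERTS)
    print("head-only keeps seqs:", [p.seq for p in old])
    print("windowed keeps seqs: ", [p.seq for p in new])
```

In the sample, the head-only extractor drops every packet around the alert at packet 31, while the windowed extractor keeps both the region around packet 3 and the region around packet 31 and, when two alerts sit close together, merges their windows into a single trace rather than emitting duplicates.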
Deprecation of API Methods
The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
KnowledgeBase features deprecation schedule
The following KnowledgeBase features will be deprecated in the Lastline Enterprise Hosted 2020.0 release:
- To improve performance, the KnowledgeBase clustering service will be discontinued. This only changes some Intelligence search capabilities: the clustering tab is no longer available and you cannot search by cluster. Static clustering-based detection remains operational.
- All strings will remain indexed across the entire process space. You retain the ability to search by string independently of location using the existing top-level keyword. However, you cannot search for strings by sub-key location (heap, stack, memory block or executable section).
- The KnowledgeBase will no longer provide the analysis subject location within its search results. In the Intelligence page, under the Report tab, the subjects column is removed from the table of results.
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 1140
Distribution Upgrade
Sensor 1140, which is being made available as part of this release, is supported only running on Ubuntu Xenial as the underlying operating system distribution.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial before upgrading to Sensor 1140. For detailed instructions on how to perform a distribution upgrade, please see the following instructions. This update is not done automatically, to prevent unexpected downtime.